Today, I’ll cover some of the basics of monitoring Multi-Factor Authentication and why ensuring MFA is implemented is essential, particularly in environments where remote access is possible. I’ll cover some recent, specific case studies where a lack of MFA has led to security breaches and the mechanisms the bad actors used.
Finally, I will also cover some tips and MFA best practices including how to ensure synthetic monitoring and simulated testing does not become an Achilles’ heel and weak point in your AVD monitoring strategy.
What is MFA (Multi-Factor Authentication)?
The CISA states that MFA (Multi-Factor Authentication) prevents unauthorized access to your data and applications by requiring a second method of verifying your identity, making you much more secure.
By “a second method”, this means at least one secondary method to verify identity. 2-FA (Two Factor Authentication) is a sub-genre of using 2 methods but MFA is a broader church that can encompass the use of a combination of two or more methods for verifying identity.
Why MFA Really Matters for Remote Access?
Historically, many organizations relied on a kind of implied form of MFA. User accounts were primarily protected by a password, a degree of secondary protection was provided by the fact that users were expected to access resources from on-premises hardware connected to private networks. Anyone using the password could be assumed to be literally within the building.
Multi-Factor Authentication (MFA) is now essential for remote access because it strengthens security in environments where traditional perimeter defenses such as office firewalls can no longer provide implied protection.
How Passwords Can Be Compromised
I’ll cover some recent case study of breaches that will equip you with data points and resources around which you can formulate an MFA strategy but first let’s recap on some of the nomenclature around mechanisms that compromise passwords. Passwords can be compromised in many ways, common methods include:
- Phishing attacks: Trick users into revealing passwords via fake emails or websites.
- Keylogging malware: Records keystrokes to capture login credentials.
- Credential stuffing: Uses leaked credentials from one site to access others.
- Brute force attacks: Repeatedly guesses passwords until one works.
- Password reuse across sites: A breach on one site compromises others.
- Social engineering: Manipulates users into giving away their passwords.
- Data breaches/leaks: Exposes large databases of passwords.
- Shoulder surfing: A bad actor observes users typing passwords in public.
- Insecure password storage: Stores passwords in plain text or weakly hashed formats.
- Man-in-the-middle (MITM) attacks: Intercepts credentials during transmission.
MFA Failures and High-Profile Breaches
The postmortem-like analysis of several high-profile breaches that could have been avoided if MFA was in-place have raised awareness of the need for IT administrators to identify systems that are not enforcing MFA.
1. The British Library ransomware attack (Oct 2023)
Attackers accessed a Terminal Services server used by third-party contractors on which no MFA was enforced, leading to a 600 GB data leak. The British Library have been incredibly transparent and published their in-depth analysis, many summary articles have been written such as – Third-Party Breach and Missing MFA Led to British Library Attack – Infosecurity Magazine. It is however worth reading the Library’s own full report, available here: bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf/.
Key points:
- The Library were unable to ascertain for sure how the passwords were compromised, mooting – “The most likely source of the attack is therefore the compromise of privileged account credentials, possibly via a phishing or spear-phishing attack or a brute force attack where passwords are repeatedly tried against a user’s account.”
- The Library’s own report concluded: “Multi-factor authentication needs to be in place on all internet-facing endpoints, regardless of any technical difficulties in doing so. The Library had MFA in place for all end-user technologies, but not on certain supplier endpoints.”
2. British Airways Data Breach – 2018
Attackers used stolen credentials from a Swissport (third-party cargo handling contractor) employee, which lacked MFA protection. They accessed a Citrix environment and eventually compromised domain admin credentials stored in plaintext.
The absence of multi-factor authentication allowed attackers to use those credentials without any second layer of defense. The hackers then installed a custom skimming script that captured the personal and payment card data (including CVV codes) of approximately 380,000 customers.
In October 2020 the UK Information Commissioner’s Office (ICO) fined British Airways £20 million for breaches of General Data Protection Regulations related to the breach. A legal claim by customers who had been affected by the breach was settled out of court in 2021.
Interestingly, the logging and storing of the credit card details (including, in most cases, CVV codes) was not an intended design feature of British Airways’ systems and was not required for any particular business purpose. This was a test feature inadvertently left running through “human error”.
A fuller analysis can be read, here: British Airways data breach – Wikipedia.
3. Microsoft corporate breach (Late 2023/Jan 2024)
Russian‑aligned group Midnight Blizzard compromised a legacy test tenant account without MFA, gaining access to senior exec emails. The initial breach was achieved through a low-volume password spraying technique.
Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications.
Read more: Midnight Blizzard: Guidance for responders on nation-state attack | Microsoft Security Blog.
Point of note: A lack of MFA is often associated with other security weaknesses
Beyond the lack of MFA, other significant factors can be seen in the few examples I’ve highlighted. We see:
- Missing MFA means easy initial access with stolen credentials
- A lack of MFA allows attacks via mechanism such as password spraying
- Third-party contractor accounts treated as less of a risk than others with external access
- Legacy test systems and accounts are often overlooked
MFA for Synthetic Monitoring of AVD
Synthetic monitoring is a proactive method of monitoring application and service performance by simulating user interactions or transactions at regular intervals from specific locations.
By regularly probing logons and user workflows with robot users periodically, administrators can discover issues before real users are impacted.
eG Enterprise offers a full range of synthetic monitoring features for AVD from a logon simulator to full-session multi-app workflow simulators. To protect your systems we offer a range of options for implementing MFA when using synthetic monitoring for AVD or the other digital workspace technologies supported by eG Enterprise.
How to Use TOTP (Time-Based One-Time Password) for Two-Factor Authentication in AVD Environments
Two-Factor Authentication (2FA) adds an extra layer of account protection by requiring two distinct forms of authentication. Time-Based One-Time Password (TOTP) is one of the most commonly used 2FA methods, generating dynamic 6-digit codes that typically change every 30 seconds. These TOTP codes are used alongside standard user credentials to enable secure access to your AVD environment.
In Azure Virtual Desktop (AVD) environments, TOTP-based authentication is referred to as “OATH software tokens” within Microsoft Entra ID (formerly Azure AD).
Enabling TOTP (OATH Software Tokens) Based 2FA in AVD for eG Enterprise Logon Simulator
In a few simple steps you can protect your synthetic monitoring systems, simply:
- Register your Microsoft AVD logon simulation endpoint as an application in Microsoft Entra ID (formerly Azure AD).
- Obtain the secret key from your registered endpoint.
- Choose an authenticator app that supports TOTP, such as Microsoft Authenticator, Google Authenticator, etc.
- Add your secret key to the authenticator app by manually entering it or scanning the QR code.
- TOTP codes generated by your authenticator app can be used to log in to your Microsoft Azure Virtual Desktop (AVD) environment.
Configuring TOTP-Based 2FA in Microsoft AVD Logon Simulator Test
During simulation, the Microsoft AVD Logon Simulator automatically generates the TOTP using the shared secret key and the current time. This TOTP is submitted along with the user credentials during the login process. After successful authentication, the simulator reports the total time taken to complete the login process. If authentication fails due to MFA service outages, connectivity issues, time synchronization errors, or other causes, the simulator triggers alarms with supporting screenshots for further analysis.
Using the graphical view of the simulation process shown below, administrators can clearly identify which step in the logon sequence caused failures or slowness. This facilitates the precise isolation of specific failure or delay stages in the simulation—whether during login, enumeration, session establishment, application launch, or logoff.
Learn more about synthetic monitoring for AVD and Azure DaaS, see: Synthetic Monitoring of Microsoft Azure DaaS | eG Innovations.
eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces,
web applications, SaaS services, cloud and containers from a single pane of glass.
